How to troubleshoot SAML related issues in AEM
Description
Environment
Experience Manager
Issue/Symptoms
How can we troubleshoot Security Assertion Markup Language (SAML) related issues with Adobe Experience Manager (AEM)? What information would be required to troubleshoot?
Resolution
Infinite loop issue:
Check whether a ds:Signature element is part of the SAML assertion. If it is not, this has to be fixed on the IdP side: enable the option to sign the assertion.
Check the NameID format in the SAML response. It must exactly match the NameID policy format configured in the AEM SAML configuration.
Check the AudienceRestriction in the SAML response. Its value must exactly match the entity ID in the SAML configuration.
Check the saml2:Conditions (NotBefore and NotOnOrAfter). If these fail, the server clock is not in sync with the NTP server. Use ntpd and force it to sync the system time (ntpdate -s pool.ntp.org). For testing, set the clock tolerance to -1, which ignores any clock difference.
Check whether the IdP leaves the assertion unsigned. Ask the IdP team to make sure that the response is signed and that the assertion is signed as well, as the SAML spec requires.
Check in the SAML tracer output whether the assertion from the IdP is encrypted. If it is, the encryption checkbox must be enabled in the SAML authentication handler configuration.
Check that the SAML certificate is in the proper format:
Extract the certificate from the signature in the SAML response and fix its line wrapping, i.e. insert a line break after the 65th character, and so on.
The re-wrapped certificate can then be installed in the AEM truststore, and its details compared with the IdP's certificate.
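As an added example that is not part of the article, the following script runs the checks above offline against a saved SAML response: ds:Signature inside the assertion, NameID format against the configured policy, Audience against the entity ID, the NotBefore/NotOnOrAfter window with the clock tolerance (where -1 ignores the clock, as described above), detection of an encrypted assertion, and re-wrapping of the signing certificate into PEM at the standard 64-character width. The entity ID, NameID policy and sample response are constructed values, not taken from any real deployment.

```python
# Added example (not from the article): offline checker for the SAML Response fields
# the infinite-loop checklist inspects. Every sample value below is constructed.
import base64, textwrap, xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
ENTITY_ID = "https://aem.example.com/saml"  # constructed; entity ID as configured in the AEM SAML auth handler
NAMEID_POLICY = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # configured NameID policy

def check_response(xml_text, entity_id, nameid_policy, tolerance_s=60, now=None):
    """Return {check: (ok, detail)}; any False entry is a candidate cause of the redirect loop."""
    root, res = ET.fromstring(xml_text), {}
    now = now or datetime.now(timezone.utc)
    if root.find("saml:EncryptedAssertion", NS) is not None:  # needs the encryption option + private key
        return {"encrypted": (False, "assertion is encrypted; enable encryption in the auth handler")}
    a = root.find("saml:Assertion", NS)
    # 1. the Assertion itself must carry ds:Signature (signing only the Response is not enough)
    res["assertion_signed"] = (a.find("ds:Signature", NS) is not None, "ds:Signature inside Assertion")
    # 2. NameID Format must equal the NameID policy configured in the auth handler
    fmt = a.find("saml:Subject/saml:NameID", NS).get("Format")
    res["nameid_format"] = (fmt == nameid_policy, fmt)
    # 3. Audience must equal the configured entity ID exactly
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    res["audience"] = (aud == entity_id, aud)
    # 4. NotBefore/NotOnOrAfter window widened by the clock tolerance; tolerance -1 ignores the clock
    cond = a.find("saml:Conditions", NS)  # SAML timestamps are UTC ISO 8601 with a trailing Z
    nb, na = (datetime.fromisoformat(cond.get(k).replace("Z", "+00:00")) for k in ("NotBefore", "NotOnOrAfter"))
    tol = timedelta(seconds=max(tolerance_s, 0))
    res["conditions"] = (tolerance_s < 0 or nb - tol <= now < na + tol, f"{nb:%H:%M:%S}..{na:%H:%M:%S} now {now:%H:%M:%S}")
    return res

def signing_cert_to_pem(xml_text, width=64):
    """Re-wrap the one-line ds:X509Certificate blob into PEM for import into the AEM truststore."""
    b64 = "".join(ET.fromstring(xml_text).findtext(".//ds:X509Certificate", namespaces=NS).split())
    base64.b64decode(b64, validate=True)  # fail early if the blob is not clean base64
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, width)) + "\n-----END CERTIFICATE-----\n"

# Constructed sample response; FAKE_CERT is a base64 placeholder, not a real certificate.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate " * 3).decode()
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
 <saml:Assertion>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="{NAMEID_POLICY}">user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":  # clock fixed inside the Conditions window, so every check passes
    print(check_response(SAMPLE, ENTITY_ID, NAMEID_POLICY, now=datetime(2024, 1, 1, 12, 3, tzinfo=timezone.utc)))
    print(signing_cert_to_pem(SAMPLE))
```

Point it at a response captured with the SAML tracer and any check reported as False names the mismatch to fix on the IdP or in the AEM SAML configuration.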
Encryption:
Always complete the SAML setup without encryption first, and enable encryption only once that works. Approaching it this way makes the issue much easier to debug.
Dispatcher:
Make sure the SAML login request is allowed in the filters section. If it is not, update the /filter section to allow POST requests to */saml_login, for example:
/0100 { /type "allow" /method "POST" /url "*/saml_login" }
Check for changes to mod_headers (mod_header) at the web server level in httpd.conf. It should be in the following format:
This error means that the IdP has encrypted the assertion and there is no private key available to decrypt the response. If you want the response to be encrypted, you need to upload a valid private key to the AEM keystore.
Information to provide when raising a SAML-related support ticket: